Discard session token after n failed attempts

[ejain]

Should have some protection against brute-forcing security codes, especially since TOKEN_LENGTH can be set to a low value like 4...

[CuriousLearner]

Thanks for the suggestion.

I would suggest a setting that controls the MIN_TOKEN_LENGTH. We may have another setting to discard the token after n failed attempts where n can be configured through another setting. If you'd like to work on this and raise a PR, I'll be happy to merge it.

[Kaos599]

hey @CuriousLearner can i work on this and can you assign this with hacktoberfest label?

[CuriousLearner]

@Kaos599 Yes please, you're welcome to raise a PR. Please let me know if you've any questions.

[Kaos599]

@CuriousLearner Hey! I've implemented brute force protection for SMS verification codes as suggested. Added MIN_TOKEN_LENGTH and MAX_FAILED_ATTEMPTS settings with session-based failed attempt tracking and lockout.

This addresses the TOKEN_LENGTH vulnerability and provides configurable protection against brute force attacks.
Sessions are discarded after exceeding the failed attempt threshold.

Please review whenever you are free and let me know the feedback!

---

Also i would appreciate it if you could assign it with a hacktoberfest label